File name: uwbs_tokengeneratorn.html
Token generator configuration settings
Use this page to specify the information for the token
generator. The information is used at the generator side only to generate
the security token.
To view this administrative console page for the
cell level, complete the following steps:
- Click .
- Under JAX-RPC Default Generator Bindings, click or click New to create a new
token generator.
To view this administrative console page for the server level,
complete the following steps:
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime.
Mixed-version environment: In a mixed node cell with a server using WebSphere
Application Server version 6.1 or earlier, click Web services:
Default bindings for Web Services Security.
- Under JAX-RPC Default Generator Bindings, click or click New to create a new token generator.
- Click .
- Under Modules, click .
- Under Additional properties, you can access the token generator
information for the following bindings:
- For the Request generator (sender) binding, click Web
services: Client security bindings. Under Request generator
(sender) binding, click Edit custom.
- For the Response generator (sender) binding, click Web
services: Server security bindings. Under Response generator
(sender) binding, click Edit custom.
- Click New to create a new token generator,
or click the name of an existing token generator to specify its
settings.
To view this administrative console page for the application level,
complete the following steps:
- Click .
- Under Modules, click .
- Under Web Services Security Properties, click Web services:
Client security bindings.
- Under Request generator (sender) binding, click Edit
custom.
- Under Additional properties, click .
Before specifying additional properties, specify a value in the Token
generator name and the Token generator class
name fields.
Token generator name
Specifies the name of the token generator configuration.
For example, the default X509 token generator names are gen_enctgen for
encrypting and gen_signtgen for signing; a custom token generator
used for signing might be named sig_tgen.
Token generator class name
Specifies the name of the token generator implementation
class.
This class must implement the com.ibm.wsspi.wssecurity.token.TokenGeneratorComponent interface.
Certificate path
Specifies the certificate revocation list (CRL) that is
used for generating a security token wrapped in a PKCS#7 token type
with CRL.
When the token generator is not for a PKCS#7 token type, you must
select None. When the token generator is for
the PKCS#7 token type and you want to package CRL in the security
token, select Dedicated signing information and
specify the CRL for the collection certificate store.
You can specify a certificate store configuration for the following
bindings on the following levels:
Table 1. Certificate path binding settings. The certificate is used for signing messages.

Binding name | Server level, cell level, or application level | Path
Default generator bindings | Cell level | (1) Click . (2) Under Additional properties, click Collection certificate store.
Default generator bindings | Server level | (1) Click . (2) Under Security, click JAX-WS and JAX-RPC security runtime. Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security. (3) Under Additional properties, click Collection certificate store.
Using the collection certificate store, you can configure a related
certificate revocation list by clicking Certificate revocation
list under Additional properties.
Add nonce
Indicates whether a nonce is included in the user name token
that the token generator produces. A nonce is a unique, randomly generated
value that is embedded in a message so that the consumer can detect
and reject a replay of a user name token it has already seen.
On the application level, if you select the Add nonce option,
you can specify the following properties under Additional properties:
Table 2. Additional nonce properties. Nonce is used to add additional security to a message.

Property name | Default value | Explanation
com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.cacheTimeout | 600 seconds | Specifies the timeout value, in seconds, for the nonce value that is cached on the server.
com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.clockSkew | 0 seconds | Specifies the clock skew value, in seconds, to consider when the application server checks the timeliness of the message.
com.ibm.ws.wssecurity.config.token.BasicAuth.Nonce.maxAge | 300 seconds | Specifies the time, in seconds, before the nonce time stamp expires.
These properties are available on the administrative console at
the cell and server level. However, on the application level, you
can configure the properties under Additional properties.
This option is displayed on the cell, server, and application levels.
This option is valid only when the generated token type is a user
name token.
Add timestamp
Specifies whether to insert the time stamp into the user
name token.
This option is displayed on the cell, server, and application levels.
This option is valid only when the generated token type is a user
name token.
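The replay protection that the Add nonce and Add timestamp options, together with the three nonce properties in Table 2, set up can be modelled end to end. The following Python is an added example written for this page, not WebSphere code: the generator side emits a wsse:UsernameToken carrying a nonce, a wsu:Created time stamp and a password digest as defined by the OASIS Username Token Profile 1.0, and a consumer side enforces cacheTimeout, maxAge and clockSkew with the meanings given in Table 2. The UsernameTokenConsumer class, the in-memory password table, the user name and password, and the injectable nonce (present only so that runs are reproducible) are assumptions of the example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from the OASIS WS-Security 1.0 specifications.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UT_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
B64_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Username Token Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def generate_username_token(username: str, password: str, now: datetime, nonce: bytes = None) -> str:
    """Generator side: emit a UsernameToken with Add nonce and Add timestamp both enabled.

    `now` is the generator's UTC clock. `nonce` may be injected to make runs reproducible;
    a real generator always draws a fresh random nonce. Username is assumed XML-safe here.
    """
    nonce = os.urandom(16) if nonce is None else nonce
    created = now.strftime(TIME_FMT)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="UsernameToken-1">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{UT_PROFILE}#PasswordDigest">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64_ENC}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenConsumer:
    """Consumer side (assumed for this example): applies cacheTimeout, maxAge and clockSkew
    with the meanings given in Table 2, then verifies the password digest.

    `passwords` (user -> password) stands in for the user registry.
    """

    def __init__(self, passwords: dict, cache_timeout: int = 600, max_age: int = 300, clock_skew: int = 0):
        self.passwords = passwords
        self.cache_timeout = timedelta(seconds=cache_timeout)
        self.max_age = timedelta(seconds=max_age)
        self.clock_skew = timedelta(seconds=clock_skew)
        self._seen: dict = {}  # nonce -> time at which its cache entry may be evicted

    def consume(self, token_xml: str, now: datetime) -> str:
        root = ET.fromstring(token_xml)
        user = root.findtext(f"{{{WSSE}}}Username")
        pwd_el = root.find(f"{{{WSSE}}}Password")
        nonce = base64.b64decode(root.findtext(f"{{{WSSE}}}Nonce"))
        created_str = root.findtext(f"{{{WSU}}}Created")
        created = datetime.strptime(created_str, TIME_FMT).replace(tzinfo=timezone.utc)

        # cacheTimeout: forget nonces whose cache entry has expired.
        self._seen = {n: t for n, t in self._seen.items() if t > now}

        # maxAge, widened by clockSkew in both directions: the Created time stamp must be fresh.
        if created > now + self.clock_skew:
            return "rejected: created in the future"
        if now - created > self.max_age + self.clock_skew:
            return "rejected: token older than maxAge"

        # Replay: a nonce still in the cache means this message was already accepted once.
        if nonce in self._seen:
            return "rejected: nonce replayed"

        # Only authenticated tokens are entered into the cache, so junk tokens cannot fill it.
        password = self.passwords.get(user)
        if password is None:
            return "rejected: unknown user"
        expected = password_digest(nonce, created_str, password)
        if (pwd_el is None or pwd_el.get("Type") != f"{UT_PROFILE}#PasswordDigest"
                or not hmac.compare_digest(pwd_el.text or "", expected)):
            return "rejected: bad password digest"

        self._seen[nonce] = now + self.cache_timeout
        return "accepted"
```

The consumer only remembers a nonce for cacheTimeout seconds, while maxAge (plus clockSkew) decides how old a time stamp may be. If cacheTimeout is set shorter than maxAge plus clockSkew, a nonce can be evicted from the cache while its Created value is still acceptable, and the same token is accepted a second time; keep cacheTimeout at least as large as maxAge plus clockSkew, as the defaults of 600, 300 and 0 seconds already are.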
Value type local name
Specifies the local name of the value type for the generated
token.
For a user name token and an X.509 certificate security token,
this product provides predefined value types. When you specify the
following local names, you do not need to specify the Uniform Resource
Identifier (URI) of value type.
- Username token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
- X509 certificate token: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
- X509 certificates in a PKIPath: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1
- A list of X509 certificates and CRLs in a PKCS#7: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7
- Lightweight Third Party Authentication (LTPA): LTPA, or LTPA_PROPAGATION for LTPA token propagation
Important: For LTPA, the value type local
name is LTPA. If you enter LTPA for
the local name, you must specify the http://www.ibm.com/websphere/appserver/tokentype/5.0.2 URI
value in the Value type URI field as well. For LTPA token propagation,
the value type local name is LTPA_PROPAGATION.
If you enter LTPA_PROPAGATION for the local
name, you must specify the http://www.ibm.com/websphere/appserver/tokentype URI
value in the Value type URI field as well. For the other predefined
value types (Username token, X509 certificate token, X509 certificates
in a PKIPath, and a list of X509 certificates and CRLs in a PKCS#7),
the value for the local name field begins with http://.
For example, if you are specifying the user name token for the value
type, enter http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken in
the Value type local name field and then you do not need to enter
a value in the Value type URI field.
When you specify a custom value type for custom tokens, you can
specify the local name and the URI of the qualified name (QName) of
the value type. For example, you might specify Custom for
the local name and http://www.ibm.com/custom for
the URI.
Value type URI
Specifies the namespace URI of the value type for the generated
token.
When you specify the token generator for the user name token or
the X.509 certificate security token, you do not need to specify this
option. If you want to specify another token, specify the URI of the
QName of the value type.
The application server provides the following predefined value
type URIs:
- For the LTPA token: http://www.ibm.com/websphere/appserver/tokentype/5.0.2
- For the LTPA token propagation: http://www.ibm.com/websphere/appserver/tokentype
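The rules above for pairing a Value type local name with a Value type URI, and the X509v3 and X509PKIPathv1 value types from the list, can be exercised in code. The following Python is an added example for this page, not WebSphere code. value_type_qname applies the page's pairing rules and rejects the combinations the page says are invalid; encode_pkipath and decode_pkipath implement the PkiPath structure (SEQUENCE OF Certificate, as defined by ITU-T X.509, with the certificate nearest the trust anchor first) that sits behind the X509PKIPathv1 value type; binary_security_token and x509_token are assumed helper names that wrap the resulting bytes in a wsse:BinarySecurityToken carrying the matching ValueType. The DER blobs used as input are constructed placeholders, not real certificates, so the example runs offline.

```python
import base64

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
B64_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
# Predefined local names that do not begin with http:// and therefore need their fixed URI.
LTPA_URIS = {
    "LTPA": "http://www.ibm.com/websphere/appserver/tokentype/5.0.2",
    "LTPA_PROPAGATION": "http://www.ibm.com/websphere/appserver/tokentype",
}


def value_type_qname(local_name, uri=None):
    """Resolve the Value type local name / Value type URI pair into a (namespace, local) QName.

    A local name beginning with http:// already carries its namespace, the LTPA names must be
    paired with their fixed URI, and a custom name needs a URI of its own.
    """
    if local_name.startswith("http://"):
        ns, sep, local = local_name.rpartition("#")
        if not sep:
            raise ValueError("predefined value type must have the form namespace#LocalName")
        return ns, local
    if local_name in LTPA_URIS:
        if uri != LTPA_URIS[local_name]:
            raise ValueError(f"{local_name} requires Value type URI {LTPA_URIS[local_name]}")
        return uri, local_name
    if not uri:
        raise ValueError("a custom value type needs a Value type URI")
    return uri, local_name


def _der_length(n):
    """DER length octets: short form below 128, otherwise 0x80 | count followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        pos = pos + 2 + count
    return tag, buf[pos:pos + length], pos + length


def encode_pkipath(certs_der):
    """PkiPath ::= SEQUENCE OF Certificate (ITU-T X.509), the payload behind X509PKIPathv1.
    Callers pass the certificate closest to the trust anchor first and the end entity last."""
    body = b"".join(certs_der)
    return b"\x30" + _der_length(len(body)) + body


def decode_pkipath(pkipath_der):
    """Split a PkiPath back into the DER certificates it carries, in path order."""
    tag, body, end = _read_tlv(pkipath_der, 0)
    if tag != 0x30 or end != len(pkipath_der):
        raise ValueError("PkiPath must be exactly one DER SEQUENCE")
    certs, pos = [], 0
    while pos < len(body):
        tag, _, nxt = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("PkiPath entries must be Certificate SEQUENCEs")
        certs.append(body[pos:nxt])
        pos = nxt
    return certs


def binary_security_token(payload, value_type, token_id="X509Token-1"):
    """Wrap DER bytes in a wsse:BinarySecurityToken whose ValueType matches the generator setting."""
    return (
        f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="{token_id}" '
        f'EncodingType="{B64_ENC}" ValueType="{value_type}">'
        f"{base64.b64encode(payload).decode()}</wsse:BinarySecurityToken>"
    )


def x509_token(certs_der):
    """A single certificate is sent as X509v3; a chain is packaged as an X509PKIPathv1 PkiPath."""
    if len(certs_der) == 1:
        value_type, payload = X509_PROFILE + "#X509v3", certs_der[0]
    else:
        value_type, payload = X509_PROFILE + "#X509PKIPathv1", encode_pkipath(certs_der)
    return value_type, binary_security_token(payload, value_type)
```

A consumer that is configured for X509v3 will not unpack a PkiPath, and one configured for X509PKIPathv1 expects the whole chain in the SEQUENCE, so the ValueType in the generator binding must match what the consumer side was configured to accept; the PKCS7 value type (a list of certificates and CRLs) is left out here because building a PKCS#7 SignedData structure needs a full ASN.1 library.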